Protection At A Particular Protocol Layer Patents (Class 713/151)
  • Patent number: 8745372
    Abstract: Systems and methods are provided for distributing trust among a set of certificate authorities. One approach provides methods and systems in which the secure data parser is used to distribute trust in a set of certificate authorities during initial negotiation of a connection between two devices. Another approach provides methods and systems in which the secure data parser is used to disperse packets of data into shares. A set of tunnels is established within a communication channel using a set of certificate authorities, keys developed during the establishment of the tunnels are used to encrypt shares of data, and the shares of data are transmitted through each of the tunnels.
    Type: Grant
    Filed: November 24, 2010
    Date of Patent: June 3, 2014
    Assignee: Security First Corp.
    Inventors: Rick L. Orsini, Mark S. O'Hare, Stephen C. Bono, Gabriel D. Landau, Seth James Nielson
  • Patent number: 8744074
    Abstract: The public exponent e of an RSA key is embedded in an RSA key object that lacks this exponent. During exponentiation, the public exponent e may be extracted and used to verify that the result of the exponentiation is correct. The result is output only if this is the case. The invention counters fault attacks. Also provided are an apparatus and a computer program product.
    Type: Grant
    Filed: February 18, 2010
    Date of Patent: June 3, 2014
    Assignee: Thomson Licensing
    Inventor: Marc Joye
  • Patent number: 8745371
    Abstract: Devices located on a back end of a web application in a private cloud may establish secure communications to other back end devices or client devices with a secure boot device integrated in the back end device. The secure boot device enables the back end component to cryptographically split data and encrypt data for transmission to other devices through a secure communications link. The secure communications link may improve security on private cloud networks. Further the secure communications link may improve security to allow back end devices to be located remote to other back end devices.
    Type: Grant
    Filed: December 29, 2011
    Date of Patent: June 3, 2014
    Assignee: Unisys Corporation
    Inventor: Eric T. Obligacion
  • Patent number: 8738902
    Abstract: Embodiments disclose a reverse lookup using an IP:Port-to-hostname table to identify a hostname when only an IP address and port is present in an SSL hello connection, which may occur, for example, when a non-SNI-capable client initiates the SSL hello. Once the hostname is successfully looked up, a naming convention is used to simplify the management and identification of SSL certificates. Different types of SSL certificates are supported. Multiple hostname matches may be associated with a given IP address and port in the IP:Port-to-hostname table. In such case, the first-matching hostname is always used with the naming convention to identify related SSL certificates. The naming convention is applied in such a way that it will first look for the most matching file name to the least matching file name.
    Type: Grant
    Filed: January 27, 2012
    Date of Patent: May 27, 2014
    Assignee: Microsoft Corporation
    Inventors: Won Suk Yoo, Eok Kim, Jenny Lawrance, Aniello Scotto Di Marco, Yamini Jagadeesan, Wade Hilmo
  • Patent number: 8739274
    Abstract: A device that implements a method for performing integrated caching in a data communication network. The device is configured to receive a packet from a client over the data communication network, wherein the packet includes a request for an object. At the operating system/kernel level of the device, one or more of decryption processing of the packet, authentication and/or authorization of the client, and decompression of the request occurs prior to and integrated with caching operations. The caching operations include determining if the object resides within a cache, serving the request from the cache in response to a determination that the object is stored within the cache, and sending the request to a server in response to a determination that the object is not stored within the cache.
    Type: Grant
    Filed: June 29, 2005
    Date of Patent: May 27, 2014
    Assignee: Citrix Systems, Inc.
    Inventors: Prakash Khemani, Prabakar Sundarrajan, Lakshmi Kumar, Kailash Kailash, Ajay Soni, Rajiv Sinha, Saravanakumar Annamalaisami
  • Patent number: 8737393
    Abstract: A communication apparatus for performing connection type communication includes a first memory configured to store pieces of communication endpoint information relating to communication endpoints of connection, and a moving device configured to move, among the pieces of communication endpoint information stored in the first memory, communication endpoint information of connection set in a disconnection wait state, from the first memory to a second memory.
    Type: Grant
    Filed: April 30, 2010
    Date of Patent: May 27, 2014
    Assignee: Canon Kabushiki Kaisha
    Inventor: Daisuke Shiraishi
  • Patent number: 8739275
    Abstract: A computationally implemented method includes, but is not limited to: determining that a computing device that was presenting one or more portions of one or more items and that was in possession of a first user has been transferred from the first user to a second user; and marking, in response to said determining, the one or more portions of the one or more items to facilitate the computing device in returning to the one or more portions upon the computing device being at least transferred back to the first user. In addition to the foregoing, other method aspects are described in the claims, drawings, and text forming a part of the present disclosure.
    Type: Grant
    Filed: December 8, 2011
    Date of Patent: May 27, 2014
    Assignee: Elwha LLC
    Inventors: Royce A. Levien, Richard T. Lord, Robert W. Lord, Mark A. Malamud, John D. Rinaldo, Jr., Clarence T. Tegreene
  • Patent number: 8739243
    Abstract: A device within the network receives a domain name service (DNS) request for an address of a first resource outside the network, the first resource associated with a security policy of the network. An address of a second resource within the network is returned to the device within the network in response to the DNS request, the second resource address having previously been associated with the first resource address. A first encrypted connection is established between the device and the second resource, and a second encrypted connection is established between the second resource and the first resource, to facilitate encrypted communication traffic between the device and the first resource. The encrypted communication traffic passing between the device and the first resource is selectively decrypted and inspected depending on the address of the first resource.
    Type: Grant
    Filed: April 18, 2013
    Date of Patent: May 27, 2014
    Assignee: Phantom Technologies, Inc.
    Inventor: Paul Michael Martini
  • Publication number: 20140143535
    Abstract: One or more file sharing computers receives a client request including an IP address and port number used by the client (computer). The one or more computers respond by creating an enhanced file handle from a hash on a combination of the IP address, port number, restricted key, and a standard file handle, and concatenating the hash with the standard file handle. The enhanced file handle is sent to the client and used by the client in a second request. The one or more computers uncouple the standard file handle and hash combination. Using the client IP address, port number, restricted key and standard file handle from the client second request, the one or more computers create a second combination. The second combination hash is compared to the first combination hash and in response to determining a match, the second request is accepted, and otherwise denied.
    Type: Application
    Filed: January 27, 2014
    Publication date: May 22, 2014
    Applicant: International Business Machines Corporation
    Inventors: Paul F. Russell, Leif R. Sahlberg
  • Patent number: 8732333
    Abstract: A facsimile communication system which is capable of selectively performing encrypted communication or non-encrypt communication according to the intention of a user. A transmitting-side digital multifunction machine inputs the port address of a receiving-side digital multifunction machine according to a user operation, and designates encrypted communication for transmitting IFP packets of image information, via an IP network, after encrypting the IFP packets, or non-encrypt communication for transmitting IFP packets of image information, via the IP network, without encrypting the IFP packets. The receiving-side digital multifunction machine determines whether the input port address is for an encrypted communication port or a non-encrypt communication port, and sends a response containing an associated port number to the transmitting-side digital multifunction machine.
    Type: Grant
    Filed: February 6, 2008
    Date of Patent: May 20, 2014
    Assignee: Canon Kabushiki Kaisha
    Inventor: Nobuhiko Maki
  • Patent number: 8731191
    Abstract: An embodiment of the invention provides a data encryption method for an electrical device. The method comprises: generating an identification code corresponding to the electrical device; generating a temporary key according to the identification code; encrypting first data to generate a first secret key according to the temporary key and a first encryption mechanism; and encrypting the first secret key by a second encryption mechanism to generate an encrypted key.
    Type: Grant
    Filed: November 23, 2011
    Date of Patent: May 20, 2014
    Assignee: VIA Technologies, Inc.
    Inventors: Guanghui Wu, Shoudi Li, Xue Cui
  • Patent number: 8732810
    Abstract: A persistent connection is used for real-time or near real-time data transfer from a push platform on a network to a mobile station. To establish and maintain the persistent connection between the mobile station and push platform on the network, various protocols are defined over a packet connection between the mobile station and push platform. The real-time or near real-time data is pushed or sent by the push platform to the mobile station, as the data becomes available from a data source. In particular, heartbeat messages are used to determine whether or not the persistent connection is alive and available for real-time or near real-time data transfer. When the persistent connection is lost, the mobile station uses a retry connection scheme based on the number of connection attempts made by the mobile station for establishing a new persistent connection to the push platform.
    Type: Grant
    Filed: October 27, 2011
    Date of Patent: May 20, 2014
    Assignee: Cellco Partnership
    Inventors: Venkat Gaddam, Shahid Ahmed, Sankar Shanmugam, SM Masudur Rahman, William Cory Hawkins
  • Publication number: 20140136834
    Abstract: A client application, when executed by a processor, is operative to create a HyperText Transfer Protocol (HTTP) request containing a target header that includes a confidential value. The HTTP request is to be sent over a Secure Sockets Layer (SSL) 3.0 connection or a Transport Layer Security (TLS) 1.0 connection to a web server. The client application implements at its HTTP layer a countermeasure to a blockwise chosen-boundary attack. The client application generates an additional header having a header name that is not recognizable by the web server and inserts the additional header into the HTTP request ahead of the target header, thus creating a modified HTTP request. The modified HTTP request is to be sent, instead of the unmodified HTTP request, over the SSL 3.0 connection or the TLS 1.0 connection to the web server.
    Type: Application
    Filed: November 14, 2012
    Publication date: May 15, 2014
    Applicants: CERTICOM CORP., RESEARCH IN MOTION LIMITED
    Inventors: Alexander SHERKIN, Gregory Marc ZAVERUCHA, Alexander TRUSKOVSKY, Michael MATOVSKY, Osman Zohaib ARFEEN
  • Publication number: 20140136833
    Abstract: A method for generating and delivering a message via a web service is provided. A message for a recipient is converted to a URL and sent. A request is received from a sender having a first type of security to send a message also having the first type of security to the recipient having a second type of security. A URL message is created in response to receiving the request to send the message to the recipient and the URL message is sent to the recipient. A URL message response is received from the recipient and provides a landing message to the recipient in response to receiving the URL message response. The landing message includes a hint requesting an answer from the recipient. An answer is received from the recipient and the message is sent to the recipient using the second type of security in response to receiving the answer.
    Type: Application
    Filed: November 13, 2012
    Publication date: May 15, 2014
    Applicant: Unsene, Inc.
    Inventors: Christopher A. Kitze, Vinh H. Vo
  • Patent number: 8724803
    Abstract: A method and apparatus for secure generation of a short-term key SK for viewing information content in a Multicast-broadcast-multimedia system are described. A short-term key is generated by a memory module residing in user equipment (UE) only when the source of the information used to generate the short-term key can be validated. A short-term key can be generated by a Broadcast Access Key (BAK) or a derivative of BAK and a changing value with a Message Authentication Code (MAC) appended to the changing value. A short-term key (SK) can also be generated by using a private key and a short-term key (SK) manager with a corresponding public key distributed to the memory module residing in the user equipment (UE), using a digital signature.
    Type: Grant
    Filed: September 1, 2004
    Date of Patent: May 13, 2014
    Assignee: QUALCOMM Incorporated
    Inventors: James Semple, Gregory Gordon Rose
  • Patent number: 8726006
    Abstract: A system and method for establishing a virtual private network (VPN) between a client and a private data communication network. An encrypted data communication session, such as a Secure Sockets Layer (SSL) data communication session, is established between a gateway and the client over a public data communication network. The gateway then sends a programming component to the client for automatic installation and execution thereon. The programming component operates to intercept communications from client applications destined for resources on the private data communication network and to send the intercepted communications to the gateway via the encrypted data communication session instead of to the resources on the private data communication network.
    Type: Grant
    Filed: August 21, 2012
    Date of Patent: May 13, 2014
    Assignee: Citrix Systems, Inc.
    Inventors: Prabakar Sundarrajan, Junxiao He, Ajay Soni, Shashidhara Nanjundaswamy, Arkesh Kumar
  • Patent number: 8726023
    Abstract: Methods, a client entity, network entities, a system, and a computer program product perform authentication between a client entity and a network. The network includes at least a bootstrapping server function entity and a network application function entity. The client entity is not able to communicate with both of the network entities in a bidirectional manner. The 3GPP standard Ub reference point between the client entity and the bootstrapping server function entity is not utilized for authentication purposes, such as authentication using GAA functionality for unidirectional network connections.
    Type: Grant
    Filed: April 19, 2005
    Date of Patent: May 13, 2014
    Assignee: Nokia Corporation
    Inventor: Pekka Laitinen
  • Patent number: 8719592
    Abstract: A telematics system that includes a security controller is provided. The security controller is responsible for ensuring secure access to and controlled use of resources in the vehicle. The security measures relied on by the security controller can be based on digital certificates that grant rights to certificate holders, e.g., application developers. In the case in which applications are to be used with vehicle resources, procedures are implemented to make sure that certified applications do not jeopardize vehicle resources' security and vehicle users' safety. Relationships among interested entities are established to promote and support secure vehicle resource access and usage. The entities can include vehicle makers, communication service providers, communication apparatus vendors, vehicle subsystem suppliers, application developers, as well as vehicle owners/users.
    Type: Grant
    Filed: January 22, 2008
    Date of Patent: May 6, 2014
    Assignee: Cellport Systems, Inc.
    Inventors: Patrick J. Kennedy, Axel Fuchs, Charles W. Spaur
  • Patent number: 8719937
    Abstract: Methods and systems for detection and/or prevention of network attacks can include the use of multiple and/or time-dependent addresses coupled with filtering by the directory or naming service. The directory service can respond to requests for the address of a resource by returning an address that can be relocated over time by coordinating the directory service entry with the host and network address configuration data and/or by returning an address specific to the requestor. Thus, the directory service can track and build profiles of matches between requestors and accesses. The methods and systems can use the time dependent addresses and profiles to distinguish legitimate accesses from unauthorized or malicious ones. Requests for non-valid addresses can be misdirected to “empty” addresses or to detection devices.
    Type: Grant
    Filed: March 3, 2011
    Date of Patent: May 6, 2014
    Assignee: Verizon Corporate Services Group Inc.
    Inventors: Ravi Sundaram, Walter Clark Milliken
  • Patent number: 8719567
    Abstract: Embodiments associated with enabling Quality of Service (QoS) for MACsec protected frames are described. One example method includes identifying a security indicator in an encrypted network communication and selectively forwarding the encrypted network communication according to a QoS policy. The example method may also include selectively storing a control packet security indicator sniffed from a control packet network communication in response to determining that a match exists between a control packet identification field and a QoS database entry.
    Type: Grant
    Filed: October 14, 2009
    Date of Patent: May 6, 2014
    Assignee: Cisco Technology, Inc.
    Inventors: Brian Weis, Saurabh Mohan, Chandramouli Radhakrishnan
  • Patent number: 8719915
    Abstract: A method for improving network application security and the system thereof are disclosed in the invention, relating to the field of information security.
    Type: Grant
    Filed: March 18, 2010
    Date of Patent: May 6, 2014
    Assignee: ZTE Corporation
    Inventors: Zhou Lu, Huazhang Yu
  • Publication number: 20140122865
    Abstract: The present invention is directed towards systems and methods for split proxying Secure Socket Layer (SSL) communications via intermediaries deployed between a client and a server. The method includes establishing, by a server-side intermediary, a SSL session with a server. A client-side intermediary may establish a second SSL session with a client using SSL configuration information received from the server-side intermediary. Both intermediaries may communicate via a third SSL session. The server-side intermediary may decrypt data received from the server using the first SSL session's session key. The server-side intermediary may transmit to the client-side intermediary, via the third SSL session, data encrypted using the third SSL session's session key. The client-side intermediary may decrypt the encrypted data using the third SSL session's session key. The client-side intermediary may transmit to the client the data encrypted using the second SSL session's session key.
    Type: Application
    Filed: September 16, 2013
    Publication date: May 1, 2014
    Applicant: Citrix Systems, Inc.
    Inventor: Michael Ovsiannikov
  • Patent number: 8710952
    Abstract: A method of authenticating a radio frequency identification (RFID) reader, to efficiently and timely check the revocation status of the RFID reader, includes the steps of checking whether a given certificate is expired or revoked, and allowing a user of an RFID tag to verify that the credentials and revocation status information reported to the tag by the reader are correct and current/valid before permitting information transmission from the RFID tag to the reader. An RFID tag includes a passively powered display and a user activatable control which allows the method to be carried out with the tag. The tag may include encrypted communication ability and automatic certificate revocation list checking. (This method is applicable not just to RFID but to any technology involving purely passive operation, i.e., where the tag obtains power from a reader).
    Type: Grant
    Filed: September 7, 2010
    Date of Patent: April 29, 2014
    Assignee: The Regents of the University of California
    Inventors: Gene Tsudik, Ersin Uzun
  • Patent number: 8713665
    Abstract: A method and system for controlling a firewall for a user computer system. One or more processors of the user computer system receive a control request to control a program of the user computer system by the firewall. The control request includes a condition pertaining to at least one process of a remote computer system. The at least one process is configured to be executed on the remote computer system. The firewall protects the user computer system from external threats. The processors store a remote system condition associated with the program of the user computer system. The remote system condition includes the condition pertaining to the at least one process. The processors ascertain whether the remote system condition is satisfied. The processors direct the firewall to block or allow the transmission of data if it is ascertained that the remote system condition is not satisfied or satisfied, respectively.
    Type: Grant
    Filed: September 4, 2012
    Date of Patent: April 29, 2014
    Assignee: International Business Machines Corporation
    Inventors: Rick A. Hamilton, II, Brian M. O'Connell, John R. Pavesi, Keith R. Walker
  • Patent number: 8711706
    Abstract: A protocol delay measuring device prevents an increase of the processing overhead of a communication terminal attributed to a protocol delay measurement. The measuring device determines the protocol delay by using first and second timestamps created respectively before and after a processed packet is obtained from an unprocessed packet by IPsec processing by the communication terminal. An acknowledges creates an identifier of the unprocessed packet. A timestamp database stores the created identifier along with the first timestamp and writes the identifier in a storage where the identifier is kept the same before and after the IPsec processing by the communication terminal. A correlator reads the identifier from the storage and extracts the first timestamp stored along with the same identifier as the read identifier in the timestamp database. A calculator calculates the difference between the extracted first timestamp and the second timestamp as the protocol delay.
    Type: Grant
    Filed: December 15, 2008
    Date of Patent: April 29, 2014
    Assignee: Panasonic Corporation
    Inventors: Satoshi Senga, Kazushige Yamada, Ming-Fong Yeh
  • Patent number: 8713303
    Abstract: A method and a system for establishing a security connection between switch equipments are disclosed in the present invention. The system includes the first switch equipment and the second switch equipment; the first switch equipment sends the switch key negotiation activation packet and the switch key negotiation response packet to the second switch equipment; the second switch equipment sends the switch key negotiation request packet to the first switch equipment. The embodiments of the present invention provide a security policy for data security transmission between switch equipments by establishing shared switch key between each two switch equipments, thus guaranteeing the confidentiality of the data transmission process between switch equipments in the data link layer. The calculation burden of switch equipment and the delay of the data packets transmitted from the transmission end to the reception end can be reduced and the efficiency of network transmission can be improved.
    Type: Grant
    Filed: May 26, 2010
    Date of Patent: April 29, 2014
    Assignee: China Iwncomm Co., Ltd.
    Inventors: Qin Li, Jun Cao, Li Ge, Manxia Tie, Zhenhai Huang
  • Patent number: 8713649
    Abstract: A system and method can provide subnet manager (SM) restrictions in an InfiniBand (IB) network. A first SM in a subnet in the IB network operates to determine whether a second SM associated with a remote port is trustworthy. Furthermore, the first SM is allowed to send at least one of a request and a response that contains a management key to the second SM, if the first SM determines that the second SM is trustworthy. Additionally, the first SM is prevented from attempting to initiate communication with the second SM, if otherwise.
    Type: Grant
    Filed: June 4, 2012
    Date of Patent: April 29, 2014
    Assignee: Oracle International Corporation
    Inventors: Bjorn-Dag Johnsen, Line Holen, Dag Georg Moxnes
  • Patent number: 8713302
    Abstract: A voice-over-Internet-Protocol (VoIP) client codes audio data as printable ASCII characters, then embeds the ASCII audio data inside a cookie that is sent over the Internet within an HTTP GET message. The GET message is sent to a server acting as a call proxy or external manager that forwards the audio data to a remote client. Return audio data is sent back to the client in the normal data field of an HTTP response message from the server. When the client receives the HTTP response, it sends another GET message without audio data, allowing the server to send another response. This empty GET allows VoIP to pass through strict firewalls that pair each HTTP response with a GET. For secure-sockets layer (SSL), client and server exchange pseudo-keys in hello and finished messages that establish the SSL session. Audio data is streamed in SSL messages instead of encrypted data.
    Type: Grant
    Filed: April 25, 2011
    Date of Patent: April 29, 2014
    Assignee: Google Inc.
    Inventor: Debra C. Kirchhoff
  • Patent number: 8713301
    Abstract: A control or supervision system incorporates a digital serial communication and modules which are mutually communicable to this and operate with CAN-protocol. A control desk can be wirelessly connected to one or more modules operating with a signal protocol which takes no account of arbitration and/or confirmation functions appearing in the CAN-system. A particular receiving communication part executes the conversion of said signal protocol to the signal protocol of the CAN-system. A device for controlling a function in a first module in a CAN-system via a wireless connection to a second module in said system. A system of mutually separate units, whereof each unit operates with a CAN-signalling protocol, intercommunicable by means of radiocommunications operating with an identification system in which a key allocation between the units is based upon identities that are assigned by a module in the unit or a master system.
    Type: Grant
    Filed: June 9, 2008
    Date of Patent: April 29, 2014
    Assignee: Xinshu Management, L.L.C.
    Inventor: Lars-Berno Fredriksson
  • Publication number: 20140115320
    Abstract: A more secure TCP/IP protocol stack is provided having an enhanced transport layer. Encryption and decryption logic is arranged on the transmission side and on the reception side for processing a payload of a transport layer protocol, such as TCP or UDP. By employing this enhanced transport layer, a cryptograph process communication can be realized by dissolving various kinds of restrictions which a conventional IPsec or SSL possesses without affecting upper layer processing, and, at the same time, maintaining compatibility with the IP layer.
    Type: Application
    Filed: October 18, 2013
    Publication date: April 24, 2014
    Applicant: INTO CO., LTD.
    Inventors: Hirotsugu OZAKI, Keiko Ogawa
  • Patent number: 8707020
    Abstract: A MACSec packet exposes selected tags in front of the MACSec tag. Different embodiments are directed to methods and apparatuses of various network nodes that send, forward, and receive packets. Another embodiment is the MACSec data structure on a computer readable medium. Another embodiment is the upgrade process of a legacy network.
    Type: Grant
    Filed: May 13, 2010
    Date of Patent: April 22, 2014
    Assignee: ClearCrypt, Inc.
    Inventors: Gabor Lengyel, Ramana Devarapalli, Liang-Chih Yuan
  • Patent number: 8707426
    Abstract: A method and apparatus for resolving a cousin domain name to detect web-based fraud is described. In one embodiment, the method for resolving cousin domain names of a legitimate domain name comprises applying at least one rule to a domain name to generate one or more candidate cousin domain names and comparing the at least one candidate cousin domain name with legitimate domain information to identify the legitimate domain name that is imitated by at least one portion of the domain name.
    Type: Grant
    Filed: May 28, 2008
    Date of Patent: April 22, 2014
    Assignee: Symantec Corporation
    Inventors: Zulfikar Ramzan, Shaun Cooley
  • Patent number: 8707440
    Abstract: The system and method for passively identifying encrypted and interactive network sessions described herein may distribute a passive vulnerability scanner in a network, wherein the passive vulnerability scanner may observe traffic travelling across the network and reconstruct a network session from the observed traffic. The passive vulnerability scanner may then analyze the reconstructed network session to determine whether the session was encrypted or interactive (e.g., based on randomization, packet timing characteristics, or other qualities measured for the session). Thus, the passive vulnerability scanner may monitor the network in real-time to detect any devices in the network that run encrypted or interactive services or otherwise participate in encrypted or interactive sessions, wherein detecting encrypted and interactive sessions in the network may be used to manage changes and potential vulnerabilities in the network.
    Type: Grant
    Filed: March 22, 2010
    Date of Patent: April 22, 2014
    Assignee: Tenable Network Security, Inc.
    Inventors: Ron Gula, Renaud Deraison, Matthew T. Hayton
  • Patent number: 8707285
    Abstract: Embodiments include a method comprising loading a software class containing class information for a lock state. The method includes allocating an instance of a software object derived from the software class, wherein the allocating includes allocating of a lock word as part of the instance of the software object. The lock word defines whether the object is locked by a thread of multiple threads. The method includes observing activity relative to the instance of the software object. The method also includes, responsive to observing the activity relative to the instance of the software object that indicates that the lock state of the instance of the object is non-locking, removing the lock word from the instance of the object.
    Type: Grant
    Filed: December 31, 2010
    Date of Patent: April 22, 2014
    Assignee: International Business Machines Corporation
    Inventor: Peter W. Burka
  • Publication number: 20140108781
    Abstract: The present invention provides a method and a system for negotiation based on IKE messages. A standby device updates a value of a stored third identity according to an update notification of an active device. The update notification of the active device is sent by the active device after updating a value of a stored second identity. When the standby device switches to a new active device, the new active device sends a second message for negotiating IPSec information to a peer device according to the updated third identity. The third identity is an identity that is stored in the standby device and used to acquire state information of the active device.
    Type: Application
    Filed: October 11, 2013
    Publication date: April 17, 2014
    Inventors: Wei Zhang, Ruirui Liu, Wenhui Xie, Guolu Gao
  • Publication number: 20140101435
    Abstract: An encrypted communication apparatus determines a security protocol in IPsec to be applied to an IP packet, and calculates, based on the determined security protocol, a packet size which prevents the IP packet from being fragmented even if IPsec is applied to the IP packet. The packet size to be calculated is independent of an encryption algorithm and authentication algorithm which are actually specified by the determined security protocol.
    Type: Application
    Filed: October 1, 2013
    Publication date: April 10, 2014
    Applicant: CANON KABUSHIKI KAISHA
    Inventor: Akihisa KINOSHITA
  • Patent number: 8693688
    Abstract: A method and apparatus for adaptive packet ciphering is disclosed. The apparatus can include a transceiver capable of communicating in a wireless network and specifying a packet number (PN) and an integrity check value (ICV) as separate packet data units (PDUs) in a stream of PDUs. The data between a PN-PDU and an ICV-PDU can be enciphered as a single payload of concentrated PDUs.
    Type: Grant
    Filed: September 30, 2009
    Date of Patent: April 8, 2014
    Assignee: Intel Corporation
    Inventor: David Johnston
  • Patent number: 8694769
    Abstract: A system and method for controlling data communications between a server and a client device, such as a mobile device. Embodiments relate generally to a technique where stop data is provided to the client device. This stop data can be transmitted (e.g. by the client device) to the server. When processed by the server, the stop data indicates to the server that at least some of the encrypted data received by the client device from the server was not decrypted using the second key (e.g. as may be the case when the second key has been deleted). Upon receiving the stop data, the server may, for example, withhold the transmission of data encrypted with the first key to the client device until the second key is restored on the client device. In one embodiment, the stop data is provided to the client device in an encoded (e.g. encrypted) form.
    Type: Grant
    Filed: December 16, 2011
    Date of Patent: April 8, 2014
    Assignee: BlackBerry Limited
    Inventors: Dave Bajar, Philip Chi-Jim Luk, Michael Kenneth Brown, Darrell Reginald May
  • Publication number: 20140095861
    Abstract: Server-assisted secure function evaluation (SFE) is performed with input consistency verification for two parties that want to evaluate a function. The server computes a garbled circuit corresponding to the function. A predefined bit of the 0-secret of wire i in the garbled circuit is set to a random bit bi and a predefined bit of the 1-secret of wire i in the garbled circuit is set to bi. The server communicates with each party using an Oblivious Transfer (OT) to provide encrypted versions of the respective inputs of each party. Each party receives the encrypted wire secret of the other party and the garbled circuit for computation of a respective output and stores the predefined bit of a wire of interest of the other party. A given party can verify input consistency by the other party over at least two executions by comparing the values stored by the given party for the at least two executions with corresponding values obtained from the server.
    Type: Application
    Filed: September 28, 2012
    Publication date: April 3, 2014
    Inventors: Vladimir Y. Kolesnikov, Ranji Kumaresan, Abdullatif Shikfa
  • Publication number: 20140095862
    Abstract: According to an example, a detection message may be sent for security association detection for Internet protocol security. The detection message includes a detection flag. The detection message may be an encapsulated message including the detection flag.
    Type: Application
    Filed: September 27, 2013
    Publication date: April 3, 2014
    Applicant: Hangzhou H3C Technologies Co., Ltd.
    Inventor: Chao YANG
  • Patent number: 8687804
    Abstract: For a data transfer, security is negotiated via a control channel operating in accordance with a first protocol. The data is transmitted responsive to the security negotiation on a data channel operating in accordance with a second protocol. For example, a described implementation involves using a security control protocol and a separate secure data transfer protocol that operate cooperatively, but independently, to provide flexible application layer security with highly efficient data transfers.
    Type: Grant
    Filed: November 1, 2006
    Date of Patent: April 1, 2014
    Assignee: Microsoft Corporation
    Inventor: Blair B. Dillaway
  • Patent number: 8688970
    Abstract: The invention provides a method for trust relationship detection between a core and access network for a user equipment. The gist is that a security tunnel establishment procedure is used so one entity, be it part of the core network or be it the user equipment itself, is provided with information to determine whether the access network is trusted or untrusted. The information may comprise a first IP address/prefix, which is initially assigned to the user equipment, upon attaching to the access network. The necessary information may further comprise a second IP address/prefix, which is an address/prefix that is allocated at a trusted entity of the core network. Depending on which entity determines the trust relationship of the access network, it might be necessary to transmit either the first IP address/prefix or the second IP address/prefix or the first and the second IP address/prefix using the security tunnel establishment procedure.
    Type: Grant
    Filed: June 12, 2008
    Date of Patent: April 1, 2014
    Assignee: Panasonic Corporation
    Inventors: Jens Bachmann, Kilian Weniger, Takashi Aramaki, Jon Schuringa, Jun Hirano, Shinkichi Ikeda
  • Patent number: 8683568
    Abstract: Techniques for using a network analyzer device connected to a network include (a) sniffing packets traversing the network between a web-based application server and a user machine, the user machine being operated by a user, (b) analyzing the sniffed packets to extract event information relating to interaction events between the user machine and the web-based application server, and (c) sending the extracted event information to an authentication server for risk-based authentication of the user.
    Type: Grant
    Filed: September 22, 2011
    Date of Patent: March 25, 2014
    Assignee: EMC Corporation
    Inventors: Anton Khitrenovich, Oded Peer, Oleg Freylafert
  • Patent number: 8681673
    Abstract: A method for reducing power consumption in a wireless communication system includes: generating a descramble initial value by using at least some bits of identification information of an STA, which is known to an AP or base station and the STA; generating a first descramble sequence by using the generated descramble initial value and comparing at least some bits of the generated first descramble sequence with at least some bits of a service field of a currently-received signal; as the comparison result, when it is determined that the destination of the currently-received signal is not set to the STA, stopping the signal reception; and as the comparison result, when it is determined that the destination of the currently-received signal is set to the STA, generating a second descramble sequence by using the descramble initial value and descrambling the currently-received signal.
    Type: Grant
    Filed: April 7, 2011
    Date of Patent: March 25, 2014
    Assignee: Electronics and Telecommunications Research Institute
    Inventors: Yu-Ro Lee, Jong-Ee Oh, Sok-Kyu Lee, Hyun-Kyu Chung
  • Patent number: 8675674
    Abstract: The present invention is directed towards systems and methods for distributed operation of a plurality of cryptographic cards in a multi-core system. In various embodiments, a plurality of cryptographic cards providing encryption/decryption resources are assigned to a plurality of packet processing engines in operation on a multi-core processing system. One or more cryptographic cards can be configured with a plurality of hardware or software queues. The plurality of queues can be assigned to plural packet processing engines so that the plural packet processing engines share cryptographic services of a cryptographic card having multiple queues. In some embodiments, all cryptographic cards are configured with multiple queues which are assigned to the plurality of packet processing engines configured for encryption operation.
    Type: Grant
    Filed: December 23, 2009
    Date of Patent: March 18, 2014
    Assignee: Citrix Systems, Inc.
    Inventors: Ashoke Saha, Rajesh Joshi, Tushar Kanekar
  • Patent number: 8677114
    Abstract: Techniques are provided for enabling application steering/blocking in a secure network which includes a network entity, and a first tunnel endpoint coupled to the network entity over an encrypted tunnel. The first tunnel endpoint associates at least a first Security Parameter Index (SPI) to a first application identifier to generate first mapping information (MI), communicates the first MI to the network entity, and transmits an encrypted message to the network entity over the encrypted tunnel. The encrypted message includes an encrypted packet and an unencrypted header including the first SPI. The network entity determines the first SPI from the unencrypted header, determines the first application identifier based on the first SPI and the first MI, and identifies a first application associated with the first application identifier. The network entity can still perform application steering/blocking even though traffic passing through the tunnel is encrypted.
    Type: Grant
    Filed: January 4, 2007
    Date of Patent: March 18, 2014
    Assignee: Motorola Solutions, Inc.
    Inventors: Adam C. Lewis, George Popovich, Peter E. Thomas
  • Patent number: 8677475
    Abstract: A communication system may be configured to provide multiple levels of security for a communication link between a first node and a second node of a network. The system may be further configured to select a first level of security from the multiple levels of security for transmitting first data sent by a first client via the first node to the second node and to select a second level of security from the multiple levels of security for transmitting second data sent by a second client via the first node to the second node, the second level of security being different than the first level of security.
    Type: Grant
    Filed: July 15, 2009
    Date of Patent: March 18, 2014
    Assignee: Infineon Technologies AG
    Inventors: Neal J. King, Charles Bry
  • Patent number: 8671285
    Abstract: A fetch unit (a) fetches a block of instruction data from an instruction cache of the microprocessor; (b) performs an XOR on the block with a data entity to generate plain text instruction data; and (c) provides the plain text instruction data to an instruction decode unit. In a first instance the block comprises encrypted instruction data and the data entity is a decryption key. In a second instance the block comprises unencrypted instruction data and the data entity is Boolean zeroes. The time required to perform (a), (b), and (c) is the same in the first and second instances regardless of whether the block is encrypted or unencrypted. A decryption key generator selects first and second keys from a plurality of keys, rotates the first key, and adds/subtracts the rotated first key to/from the second key, all based on portions of the fetch address, to generate the decryption key.
    Type: Grant
    Filed: April 21, 2011
    Date of Patent: March 11, 2014
    Assignee: VIA Technologies, Inc.
    Inventors: G. Glenn Henry, Terry Parks, Brent Bean, Thomas A. Crispin
  • Patent number: 8671448
    Abstract: A method for implementing a mandatory access control model in operating systems which natively use a discretionary access control scheme. A method for implementing mandatory access control for a plurality of computers, the system comprising information assets, stored as files on the computers, and a network communicatively connecting the computers, wherein each of the computers includes an operating system that uses a discretionary access control policy, and wherein each of a subset of computers includes a software agent component operable to intercept a request for a file operation on a file from a user of one of the computers including the software agent, determining whether the file is protected, if the file is protected, altering ownership of the file from the user to another owner, and providing access based on a mandatory access control policy.
    Type: Grant
    Filed: December 13, 2011
    Date of Patent: March 11, 2014
    Assignee: McAfee, Inc.
    Inventors: Oren Tirosh, Eran Werner
  • Publication number: 20140068245
    Abstract: The present invention is directed towards systems and methods for managing SSL session persistence and reuse in a multi-core system. A first core may indicate that an SSL session established by the first core is non-resumable. Responsive to the indication, the core may set an indicator at a location in memory accessible by each core of the multi-core system, the indicator indicating that the SSL session is non-resumable. A second core of the multi-core system may receive a request to reuse the SSL session. The request may include a session identifier of the SSL session. In addition, the session identifier may identify the first core as an establisher of the SSL session. The second core can identify from encoding of the session identifier whether the second core is not the establisher of the SSL session. Responsive to the identification, the second core may determine whether to resume the SSL session.
    Type: Application
    Filed: November 8, 2013
    Publication date: March 6, 2014
    Applicant: Citrix Systems, Inc.
    Inventor: Tushar Kanekar